Update BoringSSL to d0a175601b9e180ce58cb1e33649057f5c484146 (#483)

This patch has 3 parts: a commit to update the vendoring script, a
commit that contains the results of running the script, and then a fixup
for the API breaks we got.

Package.swift

@@ -26,7 +26,7 @@ import class Foundation.ProcessInfo
 // Sources/CNIOBoringSSL directory. The source repository is at
 // https://boringssl.googlesource.com/boringssl.
 //
-// BoringSSL Commit: 3309ca66385ecb0c37f1ac1be9f88712e25aa8ec
+// BoringSSL Commit: d0a175601b9e180ce58cb1e33649057f5c484146
 
 /// This function generates the dependencies we want to express.
 ///

Sources/CNIOBoringSSL/crypto/asn1/a_gentm.c

@@ -58,7 +58,7 @@
 #include <CNIOBoringSSL_bytestring.h>
 #include <CNIOBoringSSL_err.h>
 #include <CNIOBoringSSL_mem.h>
-#include <CNIOBoringSSL_time.h>
+#include <CNIOBoringSSL_posix_time.h>
 
 #include <stdlib.h>
 #include <string.h>

Sources/CNIOBoringSSL/crypto/asn1/a_strex.c

@@ -68,6 +68,7 @@
 #include <CNIOBoringSSL_mem.h>
 
 #include "../bytestring/internal.h"
+#include "../internal.h"
 #include "internal.h"
 
 
@@ -238,22 +239,8 @@ static int do_dump(unsigned long flags, BIO *out, const ASN1_STRING *str) {
   // Placing the ASN1_STRING in a temporary ASN1_TYPE allows the DER encoding
   // to readily obtained.
   ASN1_TYPE t;
-  t.type = str->type;
-  // Negative INTEGER and ENUMERATED values are the only case where
-  // |ASN1_STRING| and |ASN1_TYPE| types do not match.
-  //
-  // TODO(davidben): There are also some type fields which, in |ASN1_TYPE|, do
-  // not correspond to |ASN1_STRING|. It is unclear whether those are allowed
-  // in |ASN1_STRING| at all, or what the space of allowed types is.
-  // |ASN1_item_ex_d2i| will never produce such a value so, for now, we say
-  // this is an invalid input. But this corner of the library in general
-  // should be more robust.
-  if (t.type == V_ASN1_NEG_INTEGER) {
-    t.type = V_ASN1_INTEGER;
-  } else if (t.type == V_ASN1_NEG_ENUMERATED) {
-    t.type = V_ASN1_ENUMERATED;
-  }
-  t.value.asn1_string = (ASN1_STRING *)str;
+  OPENSSL_memset(&t, 0, sizeof(ASN1_TYPE));
+  asn1_type_set0_string(&t, (ASN1_STRING *)str);
   unsigned char *der_buf = NULL;
   int der_len = i2d_ASN1_TYPE(&t, &der_buf);
   if (der_len < 0) {

Sources/CNIOBoringSSL/crypto/asn1/a_time.c

@@ -55,7 +55,7 @@
  * [including the GNU Public Licence.] */
 
 #include <CNIOBoringSSL_asn1.h>
-#include <CNIOBoringSSL_time.h>
+#include <CNIOBoringSSL_posix_time.h>
 
 #include <string.h>
 #include <time.h>

Sources/CNIOBoringSSL/crypto/asn1/a_type.c

@@ -56,7 +56,8 @@
 
 #include <CNIOBoringSSL_asn1.h>
 
-#include <CNIOBoringSSL_asn1t.h>
+#include <assert.h>
+
 #include <CNIOBoringSSL_err.h>
 #include <CNIOBoringSSL_mem.h>
 #include <CNIOBoringSSL_obj.h>
@@ -89,6 +90,23 @@ const void *asn1_type_value_as_pointer(const ASN1_TYPE *a) {
   }
 }
 
+void asn1_type_set0_string(ASN1_TYPE *a, ASN1_STRING *str) {
+  // |ASN1_STRING| types are almost the same as |ASN1_TYPE| types, except that
+  // the negative flag is not reflected into |ASN1_TYPE|.
+  int type = str->type;
+  if (type == V_ASN1_NEG_INTEGER) {
+    type = V_ASN1_INTEGER;
+  } else if (type == V_ASN1_NEG_ENUMERATED) {
+    type = V_ASN1_ENUMERATED;
+  }
+
+  // These types are not |ASN1_STRING| types and use a different
+  // representation when stored in |ASN1_TYPE|.
+  assert(type != V_ASN1_NULL && type != V_ASN1_OBJECT &&
+         type != V_ASN1_BOOLEAN);
+  ASN1_TYPE_set(a, type, str);
+}
+
 void asn1_type_cleanup(ASN1_TYPE *a) {
   switch (a->type) {
     case V_ASN1_NULL:

Sources/CNIOBoringSSL/crypto/asn1/a_utctm.c

@@ -58,7 +58,7 @@
 #include <CNIOBoringSSL_bytestring.h>
 #include <CNIOBoringSSL_err.h>
 #include <CNIOBoringSSL_mem.h>
-#include <CNIOBoringSSL_time.h>
+#include <CNIOBoringSSL_posix_time.h>
 
 #include <stdlib.h>
 #include <string.h>

Sources/CNIOBoringSSL/crypto/asn1/asn1_lib.c

@@ -102,6 +102,15 @@ OPENSSL_DECLARE_ERROR_REASON(ASN1, UNKNOWN_FORMAT)
 OPENSSL_DECLARE_ERROR_REASON(ASN1, UNKNOWN_TAG)
 OPENSSL_DECLARE_ERROR_REASON(ASN1, UNSUPPORTED_TYPE)
 
+// Limit |ASN1_STRING|s to 64 MiB of data. Most of this module, as well as
+// downstream code, does not correctly handle overflow. We cap string fields
+// more tightly than strictly necessary to fit in |int|. This is not expected to
+// impact real world uses of this field.
+//
+// In particular, this limit is small enough that the bit count of a BIT STRING
+// comfortably fits in an |int|, with room for arithmetic.
+#define ASN1_STRING_MAX (64 * 1024 * 1024)
+
 static void asn1_put_length(unsigned char **pp, int length);
 
 int ASN1_get_object(const unsigned char **inp, long *out_len, int *out_tag,
@@ -273,9 +282,8 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, ossl_ssize_t len_s) {
     len = (size_t)len_s;
   }
 
-  // |ASN1_STRING| cannot represent strings that exceed |int|, and we must
-  // reserve space for a trailing NUL below.
-  if (len > INT_MAX || len + 1 < len) {
+  static_assert(ASN1_STRING_MAX < INT_MAX, "len will not overflow int");
+  if (len > ASN1_STRING_MAX) {
     OPENSSL_PUT_ERROR(ASN1, ERR_R_OVERFLOW);
     return 0;
   }

Sources/CNIOBoringSSL/crypto/asn1/internal.h

@@ -76,18 +76,12 @@ extern "C" {
 // returned. On failure NULL is returned.
 OPENSSL_EXPORT struct tm *OPENSSL_gmtime(const time_t *time, struct tm *result);
 
-// OPENSSL_timegm converts a time value between the years 0 and 9999 in |tm| to
-// a time_t value in |out|. One is returned on success, zero is returned on
-// failure. It is a failure if the converted time can not be represented in a
-// time_t, or if the tm contains out of range values.
-OPENSSL_EXPORT int OPENSSL_timegm(const struct tm *tm, time_t *out);
-
 // OPENSSL_gmtime_adj returns one on success, and updates |tm| by adding
 // |offset_day| days and |offset_sec| seconds. It returns zero on failure. |tm|
 // must be in the range of year 0000 to 9999 both before and after the update or
 // a failure will be returned.
 OPENSSL_EXPORT int OPENSSL_gmtime_adj(struct tm *tm, int offset_day,
-                                      long offset_sec);
+                                      int64_t offset_sec);
 
 // OPENSSL_gmtime_diff calculates the difference between |from| and |to|. It
 // returns one, and outputs the difference as a number of days and seconds in
@@ -210,6 +204,10 @@ void asn1_encoding_clear(ASN1_ENCODING *enc);
 // a pointer.
 const void *asn1_type_value_as_pointer(const ASN1_TYPE *a);
 
+// asn1_type_set0_string sets |a|'s value to the object represented by |str| and
+// takes ownership of |str|.
+void asn1_type_set0_string(ASN1_TYPE *a, ASN1_STRING *str);
+
 // asn1_type_cleanup releases memory associated with |a|'s value, without
 // freeing |a| itself.
 void asn1_type_cleanup(ASN1_TYPE *a);

Sources/CNIOBoringSSL/crypto/asn1/posix_time.c

@@ -15,7 +15,7 @@
 // Time conversion to/from POSIX time_t and struct tm, with no support
 // for time zones other than UTC
 
-#include <CNIOBoringSSL_time.h>
+#include <CNIOBoringSSL_posix_time.h>
 
 #include <assert.h>
 #include <inttypes.h>
@@ -26,12 +26,12 @@
 #include "internal.h"
 
 #define SECS_PER_HOUR (60 * 60)
-#define SECS_PER_DAY (24 * SECS_PER_HOUR)
+#define SECS_PER_DAY (INT64_C(24) * SECS_PER_HOUR)
 
 
 // Is a year/month/day combination valid, in the range from year 0000
 // to 9999?
-static int is_valid_date(int year, int month, int day) {
+static int is_valid_date(int64_t year, int64_t month, int64_t day) {
   if (day < 1 || month < 1 || year < 0 || year > 9999) {
     return 0;
   }
@@ -62,25 +62,30 @@ static int is_valid_date(int year, int month, int day) {
 
 // Is a time valid? Leap seconds of 60 are not considered valid, as
 // the POSIX time in seconds does not include them.
-static int is_valid_time(int hours, int minutes, int seconds) {
+static int is_valid_time(int64_t hours, int64_t minutes, int64_t seconds) {
   if (hours < 0 || minutes < 0 || seconds < 0 || hours > 23 || minutes > 59 ||
       seconds > 59) {
     return 0;
   }
   return 1;
 }
 
-// Is a int64 time representing a time within our expected range?
-static int is_valid_epoch_time(int64_t time) {
-  // 0000-01-01 00:00:00 UTC to 9999-12-31 23:59:59 UTC
-  return (int64_t)-62167219200 <= time && time <= (int64_t)253402300799;
+// 0000-01-01 00:00:00 UTC
+#define MIN_POSIX_TIME INT64_C(-62167219200)
+// 9999-12-31 23:59:59 UTC
+#define MAX_POSIX_TIME INT64_C(253402300799)
+
+// Is an int64 time within our expected range?
+static int is_valid_posix_time(int64_t time) {
+  return MIN_POSIX_TIME <= time && time <= MAX_POSIX_TIME;
 }
 
 // Inspired by algorithms presented in
 // https://howardhinnant.github.io/date_algorithms.html
 // (Public Domain)
-static int posix_time_from_utc(int year, int month, int day, int hours,
-                               int minutes, int seconds, int64_t *out_time) {
+static int posix_time_from_utc(int64_t year, int64_t month, int64_t day,
+                               int64_t hours, int64_t minutes, int64_t seconds,
+                               int64_t *out_time) {
   if (!is_valid_date(year, month, day) ||
       !is_valid_time(hours, minutes, seconds)) {
     return 0;
@@ -108,7 +113,7 @@ static int posix_time_from_utc(int year, int month, int day, int hours,
 static int utc_from_posix_time(int64_t time, int *out_year, int *out_month,
                                int *out_day, int *out_hours, int *out_minutes,
                                int *out_seconds) {
-  if (!is_valid_epoch_time(time)) {
+  if (!is_valid_posix_time(time)) {
     return 0;
   }
   int64_t days = time / SECS_PER_DAY;
@@ -143,19 +148,21 @@ static int utc_from_posix_time(int64_t time, int *out_year, int *out_month,
 }
 
 int OPENSSL_tm_to_posix(const struct tm *tm, int64_t *out) {
-  return posix_time_from_utc(tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
-                             tm->tm_hour, tm->tm_min, tm->tm_sec, out);
+  return posix_time_from_utc(tm->tm_year + INT64_C(1900),
+                             tm->tm_mon + INT64_C(1), tm->tm_mday, tm->tm_hour,
+                             tm->tm_min, tm->tm_sec, out);
 }
 
 int OPENSSL_posix_to_tm(int64_t time, struct tm *out_tm) {
-  memset(out_tm, 0, sizeof(struct tm));
-  if (!utc_from_posix_time(time, &out_tm->tm_year, &out_tm->tm_mon,
-                           &out_tm->tm_mday, &out_tm->tm_hour, &out_tm->tm_min,
-                           &out_tm->tm_sec)) {
+  struct tm tmp_tm = {0};
+  if (!utc_from_posix_time(time, &tmp_tm.tm_year, &tmp_tm.tm_mon,
+                           &tmp_tm.tm_mday, &tmp_tm.tm_hour, &tmp_tm.tm_min,
+                           &tmp_tm.tm_sec)) {
     return 0;
   }
-  out_tm->tm_year -= 1900;
-  out_tm->tm_mon -= 1;
+  tmp_tm.tm_year -= 1900;
+  tmp_tm.tm_mon -= 1;
+  *out_tm = tmp_tm;
 
   return 1;
 }
@@ -187,43 +194,47 @@ struct tm *OPENSSL_gmtime(const time_t *time, struct tm *out_tm) {
   return out_tm;
 }
 
-int OPENSSL_gmtime_adj(struct tm *tm, int off_day, long offset_sec) {
+int OPENSSL_gmtime_adj(struct tm *tm, int offset_day, int64_t offset_sec) {
   int64_t posix_time;
-  if (!posix_time_from_utc(tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
-                           tm->tm_hour, tm->tm_min, tm->tm_sec, &posix_time)) {
+  if (!OPENSSL_tm_to_posix(tm, &posix_time)) {
+    return 0;
+  }
+  static_assert(INT_MAX <= INT64_MAX / SECS_PER_DAY,
+                "day offset in seconds cannot overflow");
+  static_assert(MAX_POSIX_TIME <= INT64_MAX - INT_MAX * SECS_PER_DAY,
+                "addition cannot overflow");
+  static_assert(MIN_POSIX_TIME >= INT64_MIN - INT_MIN * SECS_PER_DAY,
+                "addition cannot underflow");
+  posix_time += offset_day * SECS_PER_DAY;
+  if (posix_time > 0 && offset_sec > INT64_MAX - posix_time) {
     return 0;
   }
-  if (!utc_from_posix_time(
-          posix_time + (int64_t)off_day * SECS_PER_DAY + offset_sec,
-          &tm->tm_year, &tm->tm_mon, &tm->tm_mday, &tm->tm_hour, &tm->tm_min,
-          &tm->tm_sec)) {
+  if (posix_time < 0 && offset_sec < INT64_MIN - posix_time) {
+    return 0;
+  }
+  posix_time += offset_sec;
+
+  if (!OPENSSL_posix_to_tm(posix_time, tm)) {
     return 0;
   }
-  tm->tm_year -= 1900;
-  tm->tm_mon -= 1;
 
   return 1;
 }
 
 int OPENSSL_gmtime_diff(int *out_days, int *out_secs, const struct tm *from,
                         const struct tm *to) {
-  int64_t time_to;
-  if (!posix_time_from_utc(to->tm_year + 1900, to->tm_mon + 1, to->tm_mday,
-                           to->tm_hour, to->tm_min, to->tm_sec, &time_to)) {
-    return 0;
-  }
-  int64_t time_from;
-  if (!posix_time_from_utc(from->tm_year + 1900, from->tm_mon + 1,
-                           from->tm_mday, from->tm_hour, from->tm_min,
-                           from->tm_sec, &time_from)) {
+  int64_t time_to, time_from;
+  if (!OPENSSL_tm_to_posix(to, &time_to) ||
+      !OPENSSL_tm_to_posix(from, &time_from)) {
     return 0;
   }
+  // Times are in range, so these calculations can not overflow.
+  static_assert(SECS_PER_DAY <= INT_MAX, "seconds per day does not fit in int");
+  static_assert((MAX_POSIX_TIME - MIN_POSIX_TIME) / SECS_PER_DAY <= INT_MAX,
+                "range of valid POSIX times, in days, does not fit in int");
   int64_t timediff = time_to - time_from;
   int64_t daydiff = timediff / SECS_PER_DAY;
   timediff %= SECS_PER_DAY;
-  if (daydiff > INT_MAX || daydiff < INT_MIN) {
-    return 0;
-  }
   *out_secs = (int)timediff;
   *out_days = (int)daydiff;
   return 1;

Sources/CNIOBoringSSL/crypto/base64/base64.c

@@ -307,6 +307,10 @@ static int base64_decode_quad(uint8_t *out, size_t *out_num_bytes,
                                    (in[2] == '=') << 1 |
                                    (in[3] == '=');
 
+  // In presence of padding, the lowest bits of v are unused. Canonical encoding
+  // (RFC 4648, section 3.5) requires that these bits all be set to zero. Common
+  // PEM parsers accept noncanonical base64, adding to the malleability of the
+  // format. This decoder follows OpenSSL's and Go's PEM parsers and accepts it.
   switch (padding_pattern) {
     case 0:
       // The common case of no padding.